My apologies to the moderator if I am mistaken in posting this here, but I'm interested in finding a good range of opinion and I have basically until the 27th to do so as I go to court in the US May 28th, 8:30am.

Uniquely, for this discussion only, I should note that I am of African-American descent. Yesterday, on a desktop Mac running 10.5.6 w/o anti-virus, I chose "restore previous" when I launched Firefox 3.0.

To my surprise, one of the two pages which auto restored was Yahoo Search. I never use Yahoo search. The search field had a search term in it which happens to be an offensive racial slur pertaining to---you got it--African-Americans.

It's not my habit to insult and offend myself, so obviously I didn't do this.

What forensic data can I find in Mozilla which might show time and date stamp for the file holding the "restore previous" data? Does anybody here know how you'd manipulate that file to create the restore described above? I noticed that the search shows in the history drop down, but I cannot see any time or date stamps there.

My opponent in court is the only one in the last 30 years or so who has thrown that particular racial slur my way and happens to live adjacent to me in the same building, well within WiFi range. This person has the resources to hire somebody to break WPA2, which is what I think happened.

My wife's Mac, for months, has frequently lost WiFi connection while my Windows laptops never lose it. Could this be the result of deauthentication from a WPA cracking tool? The Mac desktop is not on wireless, but if her machine was compromised, this may have allowed access to the desktop.

I haven't seen any indication of compromise of the other computers, but I have taken the following steps:
1. Put up a new access point with a 40 character random WPA2 password. The old password was ten digits.
2. Left up the old access point but with nothing attached to it. Hoping maybe this will keep an intruder busy on the old network. Maybe I should change the key there to give them a reason why they don't see any machines.
3. I'm writing this and changing passwords from within a Linux VM on a machine not normally on the network.
4. Setting up logging for the router. I did not see any unknown MAC addresses in the most recent DHCP list, but I would have no way of seeing a static.
5. This is embarrassing---installing A/V on the Macs.

I'm open to suggestions as to how to secure the network and what steps to take forensically to try to identify how this happened. I do have Time Machine backups for the desktop which might be useful.

I've also noticed that neither Mac can complete the "Housecall" online a/v scan.

-Bob

PS The neighbor has falsely accused me of illegal activity directed towards her. It would be complicating if she had access to emails pertaining to the preparations for the case and it would be very bad if she was able to plant anything on the computers, such as illegal content, keyloggers, etc.

Do you live near Fort Meade? Because this is highly unlikely, unless you have a default access point key.

Quote:

Does anybody here know how you'd manipulate that file to create the restore described above?

Why use a tool to do that when everything you describe in your post smells more like a Trojan horse.

Attacking your wireless is only half a job, someone would have to then hack your computer. An attacker is better placed to send you a link to an infected web page and infect your computer and take control of it. This would explain how no additional MAC addresses appear in your wireless router.

Quote:

I'm open to suggestions as to how to secure the network and what steps to take forensically to try to identify how this happened.

Well, securing your network is cheaper than forensically investigating what has happened. To secure it you should format everything and rebuild everything with new passwords and a new configuration. To investigate what has happened you need to unplug everything, copy it without modifying it, then use some very expensive software and some skills that you probably don't have and a considerable amount of time which you also don't have.
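On the time and date stamp question, an added example (not part of any post in this thread): Firefox 3 keeps browsing history in places.sqlite in the profile folder, and each visit carries its own timestamp. The sketch below reads a copy of that database read-only and lists visits for one host; the function names, the sample rows and the example.test hostnames are constructed for illustration, and the sample schema is cut down to the columns the query uses.

```python
import hashlib, os, sqlite3, tempfile
from datetime import datetime, timezone

# visit_type codes as defined by Firefox's nsINavHistoryService.
VISIT_TYPES = {1: "link", 2: "typed", 3: "bookmark", 4: "embed",
               5: "redirect_permanent", 6: "redirect_temporary", 7: "download"}

def sha256_file(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def visits_for_host(db_copy, host):
    """Return (UTC time, transition, url) for visits whose URL contains host."""
    # mode=ro: SQLite refuses writes, so the working copy is not altered.
    con = sqlite3.connect(f"file:{db_copy}?mode=ro", uri=True)
    try:
        rows = con.execute(
            "SELECT v.visit_date, v.visit_type, p.url "
            "FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id "
            "WHERE p.url LIKE ? ORDER BY v.visit_date", (f"%{host}%",)).fetchall()
    finally:
        con.close()
    out = []
    for usec, vtype, url in rows:
        # visit_date is PRTime: microseconds since the Unix epoch (UTC).
        when = datetime.fromtimestamp(usec / 1_000_000, tz=timezone.utc)
        out.append((when.isoformat(), VISIT_TYPES.get(vtype, f"type_{vtype}"), url))
    return out

def build_sample_db():
    """Constructed stand-in for a copy of places.sqlite; only queried columns."""
    fd, path = tempfile.mkstemp(suffix=".sqlite")
    os.close(fd)
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER,
                                        visit_date INTEGER, visit_type INTEGER);
        INSERT INTO moz_places VALUES (1, 'http://search.example.test/search?p=term');
        INSERT INTO moz_places VALUES (2, 'http://news.example.test/');
        INSERT INTO moz_historyvisits VALUES (1, 2, 1242900000000000, 1);
        INSERT INTO moz_historyvisits VALUES (2, 1, 1242903600000000, 2);
        INSERT INTO moz_historyvisits VALUES (3, 1, 1242903660000000, 1);
    """)
    con.close()
    return path

if __name__ == "__main__":
    sample = build_sample_db()
    print(visits_for_host(sample, "search.example.test"))
```

Run it against a copy of places.sqlite, never the live profile, and hash the copy before and after with sha256_file to confirm nothing changed; the times returned are UTC and need converting to local time before comparing with anything else.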

Quote:

Do you live near Fort Meade? Because this is highly unlikely, unless you have a default access point key.

Hi, Matt
Thanks for your reply. I don't live near Fort Meade, but the latest I've read on WPA crack tools indicates that my key was very vulnerable. It was ten numbers, no alpha or punctuation. Using some of the new tools which utilize the GPU of high end graphics cards, this would apparently be very easy to do.

Quote:

Why use a tool to do that when everything you describe in your post smells more like a Trojan horse.

I wish it were a Trojan. It very well may be, but it still smells fishy because of the history of the person taking me to court. The choice of the search term is just too convenient of a coincidence.

Quote:

Attacking your wireless is only half a job, someone would have to then hack your computer. An attacker is better placed to send you a link to an infected web page and infect your computer and take control of it. This would explain how no additional MAC addresses appear in your wireless router.

I use NoScript, so it's unlikely I would have allowed a script for something I didn't recognize from a page I was not familiar with. There was no active logging recording everything in the router, so it's possible another MAC address was present or it's possible that a MAC of an existing machine could have been used. As I noted, my wife's machine frequently would go off the network for no apparent reason.

Quote:

Well, securing your network is cheaper than forensically investigating what has happened. To secure it you should format everything and rebuild everything with new passwords and a new configuration. To investigate what has happened you need to unplug everything, copy it without modifying it, then use some very expensive software and some skills that you probably don't have and a considerable amount of time which you also don't have.

When I get a chance I will be reformatting and reinstalling. In the meantime, I have not done anything on the other machine so that I can try to find out a time and date stamp for the cache entry. Who's to say this won't happen again after a reformat? I need to know more about exactly what happened.

I really hate to say this, and please do not think I am being an a$$ or trying to insult you, but based on the information you have posted so far, I think this really is just a coincidence and you are being way too paranoid. I could be wrong.